
#281 fix improve short reports, improve Oletools long report and mana…
…ge some exceptions
jeromeleonard committed Jun 19, 2018
1 parent e719da3 commit d1552b2
Showing 2 changed files with 28 additions and 10 deletions.
27 changes: 21 additions & 6 deletions analyzers/FileInfo/submodules/submodule_oletools.py
Expand Up @@ -51,24 +51,39 @@ def module_summary(self):
for section in self.results:
if section['submodule_section_header'] == 'Olevba':
predicate = 'Olevba'
type_list = []
for a in section['submodule_section_content']['analysis']:
if a["type"] not in type_list:
type_list.append(a["type"])
if len(section['submodule_section_content']['macros']) > 0:
type_list = ['VBA']
add_VBA = True
else:
type_list = []
try:
for a in section['submodule_section_content']['analysis']:
if a["type"] not in type_list:
type_list.append(a["type"])
except:
type_list.append("None")


if "Suspicious" in type_list:
level = 'suspicious'
if "VBA string" in type_list:
taxonomies.append(self.build_taxonomy(level, namespace, predicate, "VBA string"))
add_VBA = False
if "Base64 String" in type_list:
taxonomies.append(self.build_taxonomy(level, namespace, predicate, "Base64 string"))
add_VBA = False
if "Hex String" in type_list:
taxonomies.append(self.build_taxonomy(level, namespace, predicate, "Hex string"))
add_VBA = False
if "VBA" in type_list and add_VBA:
taxonomies.append(self.build_taxonomy(level, namespace, predicate, "Macro found"))
if "None" in type_list:
taxonomies.append(self.build_taxonomy("safe", namespace, predicate, "None"))

if section['submodule_section_header'] == 'DDE Analysis':
predicate = 'DDE'
if section['submodule_section_content']['Info']:
level = 'info'
if section['submodule_section_content'].get('Info'):
level = 'safe'
taxonomies.append(self.build_taxonomy(level, namespace, predicate, 'None'))
else:
level = 'suspicious'
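Review bot: The bare `except:` around the analysis loop turns any failure — a missing `analysis` key, a non-iterable value, an entry without `type`, even a KeyboardInterrupt — into a `None` entry that the new block below then reports as a `safe` taxonomy, so a malformed or truncated olevba result is summarised as clean instead of as an error; `except (KeyError, TypeError):` keeps the intended handling of an absent analysis while letting real errors surface. The `len(section['submodule_section_content']['macros']) > 0` test sits outside that try and will raise on a section without `macros`, so the two lookups are not treated consistently. When macros are present but the analysis lookup fails, `type_list` holds both `VBA` and `None`, and the summary emits `Macro found` (info) alongside `None` (safe); guarding the last case with `if "None" in type_list and "VBA" not in type_list:` would avoid the contradictory pair (`add_VBA` cannot be used there, since it is never assigned on the no-macro path). module_summary begins before this hunk and continues after it.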
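--- a/thehive-templates/FileInfo_3_0/long.html
+++ b/thehive-templates/FileInfo_3_0/long.html
@@ -90,11 +90,14 @@ <h4 class="panel-title">Summary</h4>
 </tbody>
 </table>
 </div>
+<div ng-if="!r.submodule_section_content.analysis">
+No VBA analysis found
+</div>
 </div>
 
 <!-- Macros -->
-<div uib-accordion-group class="panel-primary" heading="Macros" is-open="false">
-<div ng-if="r.submodule_section_content.macros != ''" ng-repeat="m in r.submodule_section_content.macros">
+<div ng-if="r.submodule_section_content.macros.length > 0" uib-accordion-group class="panel-primary" heading="Macros" is-open="false">
+<div ng-repeat="m in r.submodule_section_content.macros">
 <dl class="dl-horizontal">
 <dt>vba_filename</dt>
 <dd class="wrap">{{m.vba_filename}}</dd>
@@ -111,13 +114,13 @@ <h4 class="panel-title">Summary</h4>
 </div>
 
 <!--Deobfuscated code -->
-<div uib-accordion-group ng-if="r.submodule_section_content.code_deobfuscated != ''" class="panel-primary" heading="Deobfuscated code" is-open="false">
+<div uib-accordion-group ng-if="r.submodule_section_content.code_deobfuscated" class="panel-primary" heading="Deobfuscated code" is-open="false">
 <pre>
 {{r.submodule_section_content.code_deobfuscated}}
 </pre>
 </div>
 </uib-accordion>
-<div class="panel panel-primary" ng-if="r.submodule_section_header=='Oletools DDE Analysis'">
+<div class="panel panel-primary" ng-if="r.submodule_section_header=='DDE Analysis'">
 <div class="panel-heading">
 <h4 class="panel-title">{{r.submodule_section_header}}</h4>
 </div>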
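Review bot: The new `ng-if="!r.submodule_section_content.analysis"` guard is not consistent with the `macros.length > 0` test a few lines below: an empty `analysis` array is truthy in an Angular expression, so if the analyzer can return `[]` rather than omitting the key the "No VBA analysis found" message is hidden and an empty table is shown instead. `ng-if="!r.submodule_section_content.analysis.length"` covers both the absent and the empty case, and Angular expressions tolerate the undefined property access. Whether the Python side ever emits an empty list is not visible in this hunk, so this is a consistency point rather than a confirmed defect.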

0 comments on commit d1552b2
